STIGQter: STIG Summary: Cisco IOS Router NDM Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 26 Apr 2021:

The Cisco router must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.

DISA Rule

SV-215709r521266_rule

Vulnerability Number

V-215709

Group Title

SRG-APP-000516-NDM-000336

Rule Version

CISC-ND-001370

Severity

CAT I

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.
• CCI-000370 - The organization employs automated mechanisms to centrally manage configuration settings for organization-defined information system components.

Weight

10

Fix Recommendation

Step 1: Configure the Cisco router to use an authentication server as shown in the following example:

R4(config)#radius host 10.1.48.2 key xxxxxx

Step 2: Configure the authentication order to use the authentication server as primary source for authentication as shown in the following example:

R4(config)#aaa authentication login LOGIN_AUTHENTICATION group radius local

Step 3: Configure all network connections associated with a device management to use an authentication server for the purpose of login authentication.

R4(config)#line vty 0 4
R4(config-line)#login authentication LOGIN_AUTHENTICATION
R4(config-line)#exit
R4(config)#line con 0
R4(config-line)#login authentication LOGIN_AUTHENTICATION
R4(config-line)#exit
R4(config)#ip http authentication aaa login-authentication LOGIN_AUTHENTICATION

Check Contents

Review the Cisco router configuration to verify that the device is configured to use an authentication server as primary source for authentication as shown in the following example:

aaa new-model
!
aaa authentication login LOGIN_AUTHENTICATION group radius local
…
…
…
ip http authentication aaa login-authentication LOGIN_AUTHENTICATION
ip http secure-server
…
…
…
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key xxxxxxx
…
…
…
line con 0
exec-timeout 10 0
login authentication LOGIN_AUTHENTICATION
line vty 0 4
exec-timeout 10 0
login authentication LOGIN_AUTHENTICATION

If the Cisco router is not configured to use an authentication server for the purpose of authenticating users prior to granting administrative access, this is a finding.

Vulnerability Number

V-215709

Documentable

False

Rule Version

CISC-ND-001370

Severity Override Guidance

Review the Cisco router configuration to verify that the device is configured to use an authentication server as primary source for authentication as shown in the following example:

aaa new-model
!
aaa authentication login LOGIN_AUTHENTICATION group radius local
…
…
…
ip http authentication aaa login-authentication LOGIN_AUTHENTICATION
ip http secure-server
…
…
…
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key xxxxxxx
…
…
…
line con 0
exec-timeout 10 0
login authentication LOGIN_AUTHENTICATION
line vty 0 4
exec-timeout 10 0
login authentication LOGIN_AUTHENTICATION

If the Cisco router is not configured to use an authentication server for the purpose of authenticating users prior to granting administrative access, this is a finding.

Check Content Reference

M

Target Key

4014

Comments